Is this a hacker?
Hi,
My server has been showing high loads at various times over the past few days. I checked my logs, and found some strange information. I'm not sure if this is a hacking attempt, or if they in fact have gained access, or whether somebody is using a script to try and gain access. This is a snapshot taken from my ACCESS_LOG file:

####################
218.232.96.150 - - [31/Jan/2006:18:47:47 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:47 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:48 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:48 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
##################

This is only a PART of it as the post would not allow the full amount! This type of stuff has been appearing frequently over the last couple of weeks. The problem is, it is from a variety of different IP addresses. I don't know if this is some type of DDoS attack, a hacker using a proxy or what. Anybody any suggestions?
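The pattern in that log is an automated scanner, not something a person types: a burst of 404s within a few seconds from one address against every common location of xmlrpc.php, interleaved with a path the tool already knows cannot exist (ThisFileMustNotExist). The likely purpose of that canary request is to learn what a genuine 404 looks like on this host, so a catch-all or custom error page cannot be mistaken for a hit; that reading of intent is an inference, not something the thread states. The following Python is an added example, not code from the original post: it parses common-format access log lines (twelve copied from the post above, plus a few constructed benign lines from the documentation address 192.0.2.10) and flags any source that produces many 404s against many distinct paths inside a short window, which is the shape of this traffic and what separates it from ordinary broken links.

```python
"""Flag automated path probing (xmlrpc.php scanning) in an Apache access log.

Added example for the thread above; not code from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format, as posted: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
PROBE_RE = re.compile(r'/xmlrpc\.php$')
# The scanner requests a path it knows cannot exist so it can learn what a genuine
# 404 looks like on this host (assumed intent; the string itself is from the log).
CANARY = 'ThisFileMustNotExist'

# Twelve lines taken from the posted log, followed by constructed benign traffic
# from 192.0.2.10 (a documentation address; these four lines are not from the post).
SAMPLE_LOG = """\
218.232.96.150 - - [31/Jan/2006:18:47:47 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:47 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:48 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:48 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 137
218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 137
192.0.2.10 - - [31/Jan/2006:18:50:01 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [31/Jan/2006:18:50:02 -0500] "GET /images/logo.png HTTP/1.1" 200 8810
192.0.2.10 - - [31/Jan/2006:18:50:03 -0500] "GET /favicon.ico HTTP/1.1" 404 137
192.0.2.10 - - [31/Jan/2006:18:50:09 -0500] "GET /favicon.ico HTTP/1.1" 404 137
""".splitlines()


def parse_line(line):
    """Parse one common-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def find_scanners(lines, window=timedelta(seconds=60), min_404=10, min_distinct=5):
    """Return {ip: summary} for sources that look like automated probing: at least
    `min_404` 404 responses against at least `min_distinct` distinct paths within
    `window`. A browser that 404s twice on /favicon.ico never reaches the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['status'] == 404:
            per_ip[rec['ip']].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r['ts'])
        start = 0
        for end in range(len(recs)):          # sliding window over this IP's 404s
            while recs[end]['ts'] - recs[start]['ts'] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) >= min_404 and len({r['path'] for r in burst}) >= min_distinct:
                flagged[ip] = {
                    'count_404': len(recs),
                    'distinct_paths': len({r['path'] for r in recs}),
                    'xmlrpc_probes': sum(1 for r in recs if PROBE_RE.search(r['path'])),
                    'canary_requests': sum(1 for r in recs if CANARY in r['path']),
                    'duration_s': (recs[-1]['ts'] - recs[0]['ts']).total_seconds(),
                }
                break
    return flagged


if __name__ == '__main__':
    for ip, s in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {s['count_404']} 404s on {s['distinct_paths']} paths in "
              f"{s['duration_s']:.0f}s ({s['xmlrpc_probes']} xmlrpc.php probes, "
              f"{s['canary_requests']} canary requests)")
```

Run against a real access_log, the flagged addresses are the ones to rate-limit or drop at the firewall; the 404s themselves cost only CPU and log space. The thing that actually matters is whether any of the probed paths exists on the server: if an xmlrpc.php is present under one of those directories, check its version and look for the same source getting a 200 rather than a 404.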
More likely it's a worm on multiple servers.
Something like this: http://securityresponse.symantec.com...ux.plupii.html
Hi,
Okay, I ran chkrootkit and it came up with the following:

Checking `bindshell'... INFECTED (PORTS: 465)

I'm not too hot on this subject, so how would I go about treating this? I have AFP installed on the server, and I don't think 465 is a common port so how it got infected is a mystery. But the problem is fixing it, how would I go about that?
It's a false-positive. Port 465 is used for ssmtp (SMTP over SSL).
__________________
Jonathan Michaelson, cPanel Forum Moderator
Need your cPanel servers secured and tuned? cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
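The way to confirm that verdict on your own box is to see which process actually owns the flagged port: chkrootkit's bindshell test fires on a fixed list of port numbers historically used by bind shells, and 465 is on that list, so a legitimate SMTPS listener trips it every time. The following is an added example, not code from the thread or from chkrootkit: it parses `netstat -tlnp` output (a constructed sample is embedded; the PIDs and program names are illustrative) and classifies each flagged port as owned by an expected service, owned by something else, or not listening at all. The table of which programs are expected on which port is an assumption for the example and has to match the MTA actually installed.

```python
"""Triage chkrootkit 'bindshell' hits by checking who owns the port.

Added example; not from the thread. Sample netstat output is constructed.
"""
import re

# Constructed `netstat -tlnp` output. 465 is owned by the MTA (the false positive
# from the thread); 4444 owned by a bare shell is the kind of thing a real hit looks like.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2107/exim
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      2107/exim
tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN      2250/afpd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      3999/sh
"""

# Assumed allow-list: which program names legitimately own which port on this host.
EXPECTED = {
    25:  {'exim', 'sendmail', 'master'},
    465: {'exim', 'sendmail', 'master', 'stunnel'},
    548: {'afpd'},
}

LINE_RE = re.compile(r'^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+|-)/(\S*)')


def listeners(netstat_output):
    """Map each listening TCP port to (pid, program) from `netstat -tlnp` text.
    Lines without a PID (not run as root) yield ('-', '')."""
    found = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[int(m.group(2))] = (m.group(3), m.group(4))
    return found


def triage_bindshell_ports(ports, netstat_output, expected=EXPECTED):
    """For each port chkrootkit reported, return one of:
       'not-listening'     nothing bound right now (gone, or hidden from netstat)
       'expected:<prog>'   a service on the allow-list owns it: false positive
       'unexpected:<prog>' something else owns it: inspect that PID before trusting it"""
    bound = listeners(netstat_output)
    verdicts = {}
    for port in ports:
        if port not in bound:
            verdicts[port] = 'not-listening'
            continue
        pid, prog = bound[port]
        kind = 'expected' if prog in expected.get(port, set()) else 'unexpected'
        verdicts[port] = f'{kind}:{prog}'
    return verdicts


if __name__ == '__main__':
    for port, verdict in triage_bindshell_ports([465, 4444, 31337], SAMPLE_NETSTAT).items():
        print(f'port {port}: {verdict}')
```

Two caveats. Run netstat as root, or the PID/Program column is empty and every port reads as unexpected. And a kernel-level rootkit can hide sockets from netstat on the host itself, so if the result is "not-listening" but you are still uneasy, port-scan the server from another machine and compare the outside view with the inside one; a port that answers remotely but does not appear locally is a far stronger signal than anything chkrootkit's port list produces.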